Little Shield

A hardware-based firewall solution offers several advantages over a simple personal firewall application. In theory, a hardware firewall can prevent dangerous packets from even reaching the system it is protecting, keeping threats safely at arm's length. An outside firewall device also assumes the performance cost of protecting the system, using its own CPU cycles for packet filtering so the user system is free for user tasks.

Hardware-based firewalls are extremely common on corporate networks, but when a user takes to the road with a laptop, the situation is not so clear. Hotels and coffee house hotspots often have their own firewalls, but the user typically has no knowledge or control of the security configuration. In the past, the only option for a uniform security configuration was a personal firewall. Now, a company called Yoggie Security Systems [1] is trying to change that. Yoggie packs a complete Linux-based firewall appliance – complete with a 520MHz CPU, 128MB RAM, and 135MB Flash memory – on a compact USB stick (Figure 1). This firewall on a stick, which is known as the Yoggie Gatekeeper Pico, is available in Personal and Pro Editions for corporate use, as well as in a basic Firestick Pico version for home users. Prices range from US$ 120 to 200.

The Gatekeeper Pico is designed as a Unified Threat Management (UTM) device, which means that it integrates several security tools. According to the product description, the tool comes with 13 security applications. The open source components [2] include iptables/Netfilter as a stateful firewall, the http antivirus proxy HAVP, an SMTP proxy, and a number of others. On top of these open source tools are a number of commercial applications: Snort with Sourcefire VRT rules as an IDS/IPS; the Kaspersky engine, which checks for viruses and spyware; Mailshell, which identifies and tags spam and phishing; and the SurfControl web content filter.

Although the Pico family [3] runs on Linux, the firesticks are designed to protect Windows XP and Vista systems, with the emphasis on notebooks. We had three Gatekeeper Picos to experiment with, so we decided to see how well this gatekeeper kept watch.

How It Works

A Pico device does not have a separate network adapter. A driver running on the host system intercepts incoming network packets and sends them to the Gatekeeper stick. The Yoggie driver inhabits the NDIS (Network Driver Interface Specification) layer [4] between Windows' TCP/IP protocol stack and the local network adapter (Figure 2). Yoggie offers drivers for XP and Vista systems.

The Gatekeeper device filters the incoming data, and only packets that pass the filtering rules are forwarded back to Windows. The big advantage of this approach is that the Gatekeeper device is independent of the network architecture. If the necessary driver is up and running, the Gatekeeper Pico can handle traffic from any kind of network connection: Ethernet, WLAN, or even infrared.

A virtual network adapter is assigned to the host system with a separate IP address and subnet mask to receive data forwarded from the Gatekeeper system. The firestick thus acts like a real router, forwarding authorized packets to the virtual adapter address for processing by the host. In addition to its security tasks, the Yoggie appliance also attends to other routing-related tasks such as NAT (Network Address Translation). The path from Windows to the network is again via the Gatekeeper device. The virtual interface sends outgoing data to the USB stick, which filters the network traffic and sends it through the Windows driver to the physical network adapter (Figure 3).

After installation, a Yoggie icon in the task bar confirms that the system is ready for use. Because Yoggie is a separate computer, it has to boot. This happens when you plug the device into the USB port and takes about 30 seconds. Three LEDs show when the stick is done booting. It then updates its software, engines, and patterns (antivirus, antispam) with an SSL tunnel to the Yoggie update server.

Although Yoggie fulfills its obligations as a packet filter, the user interface, which is accessible in a browser (Figure 4), hides the underlying iptables filter rules from the user. This filtering information might be confusing to non-experts, and it makes sense to hide it by default, but the rules should be accessible to experts who need to make sure the firewall implements their policies correctly.

Locked Out

Despite all restrictions that the configuration interface puts in place, the tester succeeded in deliberately misconfiguring the device so badly that it refused any access. One stick had failed before, so I only had one fully functional device left to experiment with. The incorrect configuration was caused by a tester entering an address of 195.169.118.0 with a netmask of 255.255.255.0 as the internal Yoggie network. Unfortunately, this is not a private address block, and the Yoggie GUI automatically corrected the setting to 192.168.118.0/24. The stick booted in the normal way and worked fine for the most part, but I was unable to access the administration GUI.

The web filter in the gatekeeper appliance is based on SurfControl. The software implements an enterprise web policy. If a user inadvertently or deliberately attempts to access prohibited web content, the filter displays a warning instead of the web page. The current version does not let you change the error message. It might make more sense for companies to be able to modify this to display a message with the mail addresses and phone numbers of the IT department before distributing Yoggie sticks to their field staff. After all, if the web filter denies access to a legitimate site, the user is definitely going to need help.

The SurfControl mobile filter can compete with the Websense remote client, which is more established in the enterprise market. Unfortunately, Websense acquired SurfControl in January 2008 and immediately discontinued the SurfControl web filter but promises to maintain the URL database until December 2011 for existing customers [5].

Gatekeeper does not protect against malware entering through an encrypted connection (i.e., https). Interestingly, Yoggie supplies a one-year license of the Kaspersky antivirus scanner with each Gatekeeper. This scanner runs directly on the laptop, thus providing a second line of defense against viruses entering via https.

Hole in the Firewall

In our lab, author Jörg Fritsch discovered a major vulnerability in the Yoggie Gatekeeper Pico, Version 1.3.8, that allows attackers to work around the firewall and to directly attack the target system. This attack requires that the attacker be on the same subnet as the target system's physical interface. This is the case not only on an enterprise LAN, for example, but also on an Ethernet network at a hotel or with a WLAN hotspot at the airport. Of course, these are exactly the kind of hostile environments for which Yoggie is designed to protect users. The proof-of-concept attack involves four steps:

Step 1: A Nessus scan of the Yoggie-protected system would seem to indicate that the IP address belonging to the physical interface is perfectly protected – the system does not react to any kind of packets sent to it. Surprisingly, a UDP traceroute reveals the internal IP address belonging to the Yoggie stick; that is, the address the stick uses to communicate with the host system.

Step 2: Initially it is impossible to scan the internal address because its subnet is unknown and not routed. Our test team chose a suitable group 16 subnet mask that would work in any case and set up a route to the subnet on the attacking machine. The physical interface of the protected system was used as the gateway address.

Step 3: An Nmap scan of the new routed group 16 subnet revealed two addresses: the Yoggie firewall appliance's internal address and that of the new virtual host adapter.

Step 4: A final Nessus scan of both IP addresses revealed the vulnerability: The host state is visible to Nessus as if Yoggie was not in place. Nothing is there to stop an attacker from exploiting vulnerabilities on the host system.

The author immediately disclosed the vulnerability to Yoggie (on the night of March 16/17, 2008), and the manufacturer developed an update to version 1.3.9 within 36 hours to remove the security hole. The response time was fast, but the vendor's information policy not exemplary. The company responded negatively to various inquiries as to when Yoggie would be releasing an advisory on the vulnerability, stating that Yoggie automatically installs updates and this was far more than a classical advisory could ever hope to achieve. The only reference to the security disaster is in a history file on the firmware [8]:

This is not a convincing argument. If a stick does not have an online connection, the system is still vulnerable; and even if a connection exists, there is still a race condition that leaves the host vulnerable. Because the attacker has to be on the LAN, situations in which the system would be vulnerable to attacks while the gatekeeper was installing an update are conceivable. Corporate mode also allows the administrator to say which updates are installed on sticks. The terse comment quoted above makes it impossible for users to realize the full potential of the threat. Yoggie still had not revealed the bug two months after the event.

At first, Yoggie failed to give a full explanation of the vulnerability, but then they confirmed our suspicions. Basically, the gatekeeper acts as a NAT router, like any normal Linux firewall, the only exception being the connection to the Windows system. This means that all precautions that apply to the firewall configuration apply here, too. The Yoggie stick created netfilter rules, but without specifying interfaces: the -i and -o parameters thus only applied to the IP addresses.

The proof-of-concept attack sent packets directly targeted at the internal address to the external interface. The Linux kernel's internal routing algorithms correctly forwarded the packets without a firewall rule intervening.

Advertising with the Pentagon

Yoggie's marketing people advertise a "layer 8 engine" designed to protect customers against previously unknown zero-day attacks. The company claims to have a patent pending on the technology, but the name is confusing because the OSI reference model only has seven layers. The Yoggie box promises "Pentagon-level protection in the palm of your hand." When asked, the company, based in Israel, admitted that it had nothing to do with the Pentagon and that the sentence was simply intended to emphasize the product's revolutionary nature.

Before a product is deployed in the Pentagon, it has to pass various tests and achieve various certifications (i.e., Common Criteria, EAL, FIPS). The Yoggie Gatekeeper Pico does not have these certifications. Also, the Pentagon requires that certain IT security products be produced in the USA, whereas Yoggie is made in China. The ambitious Pentagon statement is misleading, but beyond the PR bravado, Yoggie does at least provide solid security technology and good spam and phishing detection. By default, the Gatekeeper marks the subject line in unsolicited, incoming mail with [SPAM], [POSSIBLY SPAM], or [PHISHING] tags. Yoggie relies on the Mailshell engine [6] and the open source SMTP proxy, ProxSMTP, for filtering mail.

A full-fledged Linux computer on a USB stick: Yoggie uses this astonishing hardware trick to protect Windows machines against Web-based attacks. But there are some things that do not work as intended by the developers as an exhaustive test in Linux Magazine #94 / September will reveal. Just a few simple tricks were all it took to work around the firewall.

Professional users are always searching for an edge. Whether you work with Linux as a webmaster, programmer, system administrator, or security consultant, you know the best solution depends on finding the right tool for the job. We thought you might be interested in the following new products and updates.